Ransomware: How to protect your firm from attack

Due to the sheer volume of ransomware and the efficiency with which attacks are carried out – not to mention the abundance of platforms, apps and IT tools that offer bad actors a way in – most experts believe that firms should take the stance that it’s not a matter of if they get hacked, but when.

As a result, the mantra ‘never trust, always verify’ has become this decade’s de facto cyber security approach. This strategy of ‘zero trust’ assumes that untrusted actors exist both inside and outside the corporate network and every user access request must be authorised. This also means deploying multi-factor authentication (MFA) to access IT systems and updated access lists, according to Oisin Fouere, head of cyber incident response at KPMG UK.

“Organisations should be taking a zero-trust approach, placing identity at its core,” says Fouere.

“With a combination of asking all users to authenticate themselves on a regular basis to access a network and only giving people the rights and access needed to perform their role, risks are minimised and any incidents that do occur can be more easily contained,” he adds.

Besides verification, the other pillars of zero-trust security include validating devices, limiting access to privileged users wherever possible, and then applying machine learning and AI to all these factors to step up the authentication processes where necessary.

Malware detection techniques are also recommended to prevent attacks before they infiltrate a network. Lewis West, head of cyber security at Hamilton Barnes, broadly outlines three common methods of ransomware attack detection.

“Signature-based ones compare ransomware sample hash to known signatures; the second method compares new behaviours against historical data while the third, a deception-based method, use a ‘honeypot’ to deceive malicious actors into interacting with a decoy system to expose what the hacker’s intentions are.”

Ioan Peters, head of cyber risk at Kroll adds that deploying a managed detection and response (MDR) solution, benefitting from curated threat feeds, on-hand expertise and tactical advice can also mitigate some of the threats that are evolving daily.

Addressing concerns over software vulnerabilities, Nigel Thorpe, technical director at Secure Age adds that these can be alleviated in part by controlling and listing permitted software within your organisation.

“Most business PCs are built to a standard which includes all the software which the user needs to do their work. There’s rarely any need to add to this. So, if you deploy an ‘application control’ system which only allows software within that standard build to run, then any ransomware attempting to execute will simply not work. It’s like the bouncer on the night club door – ‘if you’re not on the list you’re not coming in’,” he says.

He adds: “This approach avoids all the grey areas around the complicated effort of trying to work out if every application, script or macro is likely to be malicious or not; it’s a simple case of checking to see if it’s on the list or not.”

Given that ransomware attacks are rapidly evolving to counter preventive technologies, experts also believe that firms should also be taking a less static and more strategic approach to defence – which involves looking at recent data and pinpointing the most likely threats.

Muhammad Yahya Patel, a security evangelist Check Point Software, says: “It’s crucial for organisations to use intelligence to improve their awareness of the way an attacker works, identifying potential countermeasures and apply those before the criminal group infiltrates their network.”

Securing SMEs

Research from cyber security risk rating firm RiskRecon reveals that data breaches within small businesses jumped 152% globally between 2021 and 2022, outlining a trend that sees hackers moving away from ‘big game’ and increasingly targeting the mid-market.

“Malicious actors are increasingly targeting SMEs – either to gain access to their sensitive data or to reach larger organisations through the supply chain – but despite the risks, SMEs don’t necessarily have the skills or resources to build an advanced security architecture,” observes Censornet’s CTO Richard Walters.

So, what steps can SMEs take to defend against ransomware? The received wisdom within cyber security used to be that firms should have multiple vendors of firewall technology to prevent a ransomware attack. However, having seven or more different services to manage risk often requires a bigger team of IT security engineers, which SMEs don’t typically have the capacity for.

Our security experts agreed that smaller firms would do well to kick start their security by learning to do more with less – consolidating security solutions to a single platform to manage the number of alerts that come through.

“Operating one single platform is easier to manage, eliminates complexity and enables business to respond to more complex threats at faster speed and with greater accuracy,” says Walters.

Alexandra Willshire, senior sales engineer at Forcepoint, advises SMEs to create a unified strategy with a product “that can encompass the entire environment instead of a patchwork of products that can introduce risk inadvertently.”

Others point out that there are also plenty of free or inexpensive measures that provide effective baseline protection against known risks. Jason Illingworth, principal analyst at NormCyber, suggests setting passwords to three random words.

“Organisations needn’t bother with numbers and symbols anymore – cyber criminals can crack passwords like ‘BusinessName2020!’ almost instantly. Instead, the NCSC now advises organisations to use three random words, made up of upper and lowercase letters.”

Illingworth also points out that multi-factor authentication is a free feature built in to most software applications today. “Even if a cyber criminal obtains the password, a unique six-digit passcode is often enough to stop them from gaining access to vital accounts – it’s your second line of defence.”

Keeping systems updated, rather than ignoring updates and installing antivirus software are other key measures all firms can take.

Bob Kolasky, senior VP for critical infrastructure at Exiger also points to the government agencies, such as the US Cybersecurity and Infrastructure Security Agency, and non-profits, such as the Cyber Readiness Institute, that have put in place guides for how to implement cyber security practices in a low-cost manner.

Training

Given that the weakest link in any organisation is generally agreed to be its people, Mark Brown, a behavioural psychologist and founder of cyber security training platform Psybersafe believes that arming employees with training is an essential part of ransomware prevention.

“Cyber security is all about human behaviour. Our research shows that the biggest issue in developing a cyber secure workforce is target awareness – the realisation that you and I – every individual is a potential target.

“Once a person accepts this and believes it, their motivation to pay attention to cyber security messages increases, as does their willingness to adapt their behaviours and current ways of doing things,” he says.

However, Brown adds that taking a ’tick-in-the-box’ approach, providing a video or webinar once or twice a year, just doesn’t work. “Training needs to be continuous, engaging and practical for people to take note and implement the desired behaviours.

The psychologist also observes that organisations tend to silo day to day cyber security activity and don’t involve other staff – which is usually to their detriment, he claims.

On this note, Trend Micro’s Duke agrees that security teams need to be brought “into the fold” more so they can help foster good working relationships between teams and improve the speed of response, with established lines of communications making it easier to identify and remove potential barriers to IR before an incident occurs.

Call for backup

The reason a ransomware attack can be so devastating is because a business can find itself with no alternative but to pay to restore its data. However, if a company knows they can restore their data to a clean state due to a backup, they will have greatly minimised the disruption and pain associated with an attack.

According to Lawrence Perret-Hall, director at CYFOR Secure, when it comes to data backup, enterprises should follow the rule of three: smaller, more frequent and incremental back-ups for business restoration, alongside full back-ups, encrypted and stored on an entirely separate network.  Finally, create a third set of long-term back-ups separately, and store them on tape.

“Ultimately, while it may sound excessive and expensive, having three lots of back-ups will be far more cost-efficient than falling victim to ransomware unprepared,” he says.

“What’s more, keeping separate back-ups will avoid the issue we see time and time again in ransomware recovery, where back-ups themselves are infected because they are stored on the same network in order to reduce recovery time,” Perret-Hall adds.

WFH risks

As more of the workforce transitions to working from home or hybrid working models, it’s also vital that firms identify the vulnerabilities that external remote services present, particularly ones that were set up hastily, as a reaction to the pandemic.

The traditional ‘castle and moat’ approach to cyber security no longer works since we’re no longer barricaded inside the ‘castle’,” explains Hamilton Barnes’ Lewis West, who adds that investment needs to come in three areas.

“Improving the tooling in place; improving the attitude of employees to security risks and investing in the right expertise that can support a business’s cyber security.  Businesses should also use web security solutions that manage web activity of remote employees by inspecting all SSL (encrypted) traffic to expose threats,” West adds.

Todd Moore, VP for Encryption Products at French aerospace firm Thales’s cyber security division, believes that data encryption can act as an essential line of defence against ransomware attackers targeting remote networks.

“When cyber criminals infiltrate the home or remote network, it’s essential that any data that’s stolen is properly protected so that it can’t be read by unauthorised actors. The keys used to encrypt data should be centrally managed through multi-level access controls to ensure that encryption cannot be “undone” by hackers,” he says.

Given that every individual device is a gateway to an organisation’s main network, having endpoint and mobile security is also central in protecting the remote or hybrid workforce.

“This hasn’t been missed by cyber criminals which is why we are seeing more and more phishing emails and scam text messages targeting end users’ mobile devices.” warns Check Point’s Patel.

Cyber Insurance

While cyber security insurance cover falls under the mitigation category rather than prevention, most insurers will look for evidence of a well-funded and well managed cyber security programme.

According to Jennifer Mulvihill, business development head at cyber-Insurance and legal at BlueVoyant, the severity and frequency of ransomware attacks has meant that cyber insurers are increasing their premiums and designing stricter and more technical underwriting guidelines.

“If your company can demonstrate its well-prepared for a cyber-attack, cyber insurance premiums may be reduced, or at least barred from a significant increase,” she says.

These requirements may include basic cyber security best practice such as the implementation of MFA across the enterprise and a robust MDR that provides 24/7 monitoring.

“Carriers are also seeking evidence that the business has dedicated experts that allows them to effectively respond to a cyber-attack, or at least have an IR retainer in place to partner with outside forensic experts,” Mulvihill adds.

When shopping around for insurance, to select the appropriate cover, businesses should consider the importance of each system or data set to their operations and check whether losses to third parties are covered, as well as looking at what other services the insurer offers in an event of an attack to response.